Loudmouth Android Malware Speaks Your Secrets

A new type of Android malware talks about you behind your back — and like a rebellious teenager, it doesn’t need your permission to blab your secrets late into the night.

Security experts at the Chinese University of Hong Kong detailed the malicious app, which they created and called VoicEmployer, in a paper titled “Your Voice Assistant Is Mine.” It leverages Android’s Google Voice Search, and since users generally need to be present for voice commands to work, no permissions are necessary for the app.

Once VoicEmployer is installed on a phone, it plays a low-volume audio file that says “Call number,” then recites a phone number belonging to the malware’s controllers. Google Voice Search hears the command and dials the number. Before you know it, your phone is whispering your sensitive data into the microphone.

VoicEmployer might not be a particularly efficient method of data exfiltration, since calling victims at inopportune times and listening to data being recited takes some doing. But it could be an ideal way to target individuals, either to steal information from them or to wage psychological warfare through alarms in the middle of the night, whispered threats and the like.

Testing VoicEmployer on a Samsung Galaxy S3, a Meizu MX2 and a Motorola A953 (renamed Droid 2 in the United States), the researchers also found a vulnerability that lets VoicEmployer activate features even when the phone is locked. The malware tricks the phone into thinking a Bluetooth device — which, by default, can make hands-free voice commands to a phone — is connected.

“In theory, nearly all Android devices equipped with Google Services Framework [Google’s built-in Android apps such as Voice Search] can be affected,” the researchers wrote in their paper.

It was previously thought that apps with zero permissions couldn’t do much damage, because they shouldn’t be able to access a phone’s most sensitive features. Yet if security experts could come up with such a program, so could enterprising cybercriminals. An app that required no permission could easily hide in any other app, including social media, streaming video or games.

There isn’t much users can do to prevent this from happening; the fix to Google Voice Search will have to come from Google’s end. Until then, avoid apps from questionable developers, keep your phone close at hand and consider turning it off at night — or checking the call record in the morning.